Skip to content

fix(gerrit): prevent path traversal in publish_code_suggestions #2314

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
gvago wants to merge 3 commits into
base: main
Choose a base branch
from
+13 −1
Open

fix(gerrit): prevent path traversal in publish_code_suggestions #2314

Changes from 2 commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
80a4a04
fix(gerrit): prevent path traversal in publish_code_suggestions
gvago Apr 14, 2026
a9332a2
fix: address Qodo review - validate suggestion dict, use relative_to …
gvago Apr 14, 2026
1dcc22e
fix: address Qodo review - remove useless f-string prefix
gvago Apr 15, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 13 additions & 1 deletion pr_agent/git_providers/gerrit_provider.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -342,10 +342,22 @@ def split_suggestion(self, msg) -> tuple[str, str]:

def publish_code_suggestions(self, code_suggestions: list):
msg = []
repo_root = pathlib.Path(self.repo_path).resolve()
for suggestion in code_suggestions:
# Validate suggestion structure before accessing keys
if not isinstance(suggestion, dict) or not isinstance(suggestion.get("relevant_file"), str):
get_logger().warning(f"Skipping malformed suggestion: missing or invalid 'relevant_file'")
Copy link
Copy Markdown
Contributor

@qodo-free-for-open-source-projects qodo-free-for-open-source-projects Bot Apr 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Action required

1. Useless f-string in warning 📘 Rule violation ⚙ Maintainability

get_logger().warning(f"...") is an f-string with no interpolation, which will trigger Ruff’s
F541 and can fail CI linting. This introduces a repository lint/format violation in newly added
code.
Agent Prompt 
## Issue description
A new `warning()` call uses an f-string without any interpolation (`f"..."`), which Ruff flags (F541) and may fail CI.

## Issue Context
This line logs a static message and does not need f-string formatting.

## Fix Focus Areas
- pr_agent/git_providers/gerrit_provider.py[349-349]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

continue
# Sanitize file path to prevent directory traversal
try:
target_path = (repo_root / suggestion["relevant_file"]).resolve()
target_path.relative_to(repo_root)
except ValueError:
get_logger().warning(f"Skipping suggestion with path traversal: {suggestion['relevant_file']}")
continue
Comment thread
qodo-free-for-open-source-projects[bot] marked this conversation as resolved.
description, code = self.split_suggestion(suggestion['body'])
add_suggestion(
pathlib.Path(self.repo_path) / suggestion["relevant_file"],
target_path,
code,
suggestion["relevant_lines_start"],
suggestion["relevant_lines_end"],
Expand Down
Loading